{"url":"http://public2.vulnerablecode.io/api/packages/64451?format=json","purl":"pkg:composer/smarty/smarty@4.3.1","type":"composer","namespace":"smarty","name":"smarty","version":"4.3.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.5.3","latest_non_vulnerable_version":"5.2.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55076?format=json","vulnerability_id":"VCID-a3yk-8fmf-x7fw","summary":"Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag\nTemplate authors could inject php code by choosing a malicous file name for an extends-tag. Users that cannot fully trust template authors should update asap.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-35226","reference_id":"","reference_type":"","scores":[{"value":"0.00279","scoring_system":"epss","scoring_elements":"0.51546","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00279","scoring_system":"epss","scoring_elements":"0.51578","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00279","scoring_system":"epss","scoring_elements":"0.516","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00279","scoring_system":"epss","scoring_elements":"0.51593","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-35226"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35226","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35226"},{"reference_url":"https://github.com/smarty-php/smarty","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/smarty-php/smarty"},{"reference_url":"https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T18:08:18Z/"}],"url":"https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072529","reference_id":"1072529","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072529"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530","reference_id":"1072530","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35226","reference_id":"CVE-2024-35226","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35226"},{"reference_url":"https://github.com/advisories/GHSA-4rmg-292m-wg3w","reference_id":"GHSA-4rmg-292m-wg3w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4rmg-292m-wg3w"},{"reference_url":"https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w","reference_id":"GHSA-4rmg-292m-wg3w","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-03T18:08:18Z/"}],"url":"https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w"},{"reference_url":"https://usn.ubuntu.com/7158-1/","reference_id":"USN-7158-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7158-1/"},{"reference_url":"https://usn.ubuntu.com/7377-1/","reference_id":"USN-7377-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7377-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81675?format=json","purl":"pkg:composer/smarty/smarty@4.5.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.5.3"},{"url":"http://public2.vulnerablecode.io/api/packages/81674?format=json","purl":"pkg:composer/smarty/smarty@5.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@5.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/742527?format=json","purl":"pkg:composer/smarty/smarty@5.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@5.2.0"}],"aliases":["CVE-2024-35226","GHSA-4rmg-292m-wg3w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a3yk-8fmf-x7fw"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44786?format=json","vulnerability_id":"VCID-3829-yarc-yqh3","summary":"smarty Cross-site Scripting vulnerability in Javascript escaping\nAn attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28447","reference_id":"","reference_type":"","scores":[{"value":"0.01189","scoring_system":"epss","scoring_elements":"0.79187","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01189","scoring_system":"epss","scoring_elements":"0.79173","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01189","scoring_system":"epss","scoring_elements":"0.79184","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01189","scoring_system":"epss","scoring_elements":"0.79192","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28447"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447"},{"reference_url":"https://github.com/smarty-php/smarty","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/smarty-php/smarty"},{"reference_url":"https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033964","reference_id":"1033964","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033964"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033965","reference_id":"1033965","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033965"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28447","reference_id":"CVE-2023-28447","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28447"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml","reference_id":"CVE-2023-28447.YAML","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2023-28447.yaml"},{"reference_url":"https://github.com/advisories/GHSA-7j98-h7fp-4vwj","reference_id":"GHSA-7j98-h7fp-4vwj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7j98-h7fp-4vwj"},{"reference_url":"https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj","reference_id":"GHSA-7j98-h7fp-4vwj","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj"},{"reference_url":"https://usn.ubuntu.com/6550-1/","reference_id":"USN-6550-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6550-1/"},{"reference_url":"https://usn.ubuntu.com/7158-1/","reference_id":"USN-7158-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7158-1/"},{"reference_url":"https://usn.ubuntu.com/8242-1/","reference_id":"USN-8242-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8242-1/"},{"reference_url":"https://usn.ubuntu.com/8242-2/","reference_id":"USN-8242-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8242-2/"},{"reference_url":"https://usn.ubuntu.com/8272-1/","reference_id":"USN-8272-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8272-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64452?format=json","purl":"pkg:composer/smarty/smarty@3.1.48","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a3yk-8fmf-x7fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@3.1.48"},{"url":"http://public2.vulnerablecode.io/api/packages/64451?format=json","purl":"pkg:composer/smarty/smarty@4.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a3yk-8fmf-x7fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.1"}],"aliases":["CVE-2023-28447","GHSA-7j98-h7fp-4vwj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3829-yarc-yqh3"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/smarty/smarty@4.3.1"}